Old 12-23-2007, 08:02 AM   #1 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 16
OS: WinXP


Control Panel gone

Please help - something has happened to my computer. My control panel has disappeared - I cannot access any computer information or Task Manager as it says they have been disabled by administrator. I cannot get online except in Safe Mode and Internet Explorer has been changed from default browser. I also have a 'copying Files' that keeps appearing without warning. I have Comodo Firewall and this has been turned off and will not open. Also have Spybot but this will not open either. I had a similar problem recently and fixed it with Combofix but this has not worked this time. Avast scan does not find anything. Have run Panda scan as requested and log is attached.
Have also downloaded and run Spyware Blaster and IE-Spyad.
Attached Files
File Type: txt Activescan.txt (106.0 KB, 3 views)
glynis35 is offline  
Old 12-23-2007, 11:51 AM   #2 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 21,354
OS: XP


Re: Control Panel gone

Quote:
I had a similar problem recently and fixed it with Combofix but this has not worked this time.
Show me ComboFix's log.
sUBs is offline  
Old 12-23-2007, 02:57 PM   #3 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 16
OS: WinXP


Re: Control Panel gone

ComboFix log attached


ComboFix 07-12-19.2 - glynis 2007-12-19 17:01:42.2 - NTFSx86
Running from: C:\Documents and Settings\glynis\Local Settings\Temporary Internet Files\Content.IE5\2ZUX0ZCL\ComboFix[1].exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\alan\Application Data\trant.exe
C:\Documents and Settings\alan\Start Menu\Programs\Startup\infos.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autos.exe
C:\Documents and Settings\glynis\Start Menu\Programs\Startup\infos.exe
C:\Program Files\Ultimate Defender
C:\WINDOWS\svchost.exe
C:\WINDOWS\system32\bronto.dll
C:\WINDOWS\system32\G691C.tmp.exe
C:\WINDOWS\system32\G862C.tmp.exe
C:\WINDOWS\system32\GF0DA.tmp.exe
C:\WINDOWS\system32\proper.exe
C:\WINDOWS\system32\winter.exe
C:\WINDOWS\system32\wowfx.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_MSUPDATE
-------\msupdate


((((((((((((((((((((((((( Files Created from 2007-11-19 to 2007-12-19 )))))))))))))))))))))))))))))))
.

2007-12-19 12:22 . 2007-12-19 12:22 16,384 --a------ C:\WINDOWS\windisk.dll
2007-12-19 12:04 . 2007-12-19 12:04 28,929 --a------ C:\WINDOWS\trayicons.exe
2007-12-18 23:29 . 2007-12-18 23:29 93 -r-hsc--- C:\autorun.inf
2007-12-18 23:26 . 2007-12-19 12:02 662 --a------ C:\WINDOWS\rem.reg
2007-12-18 23:22 . 2007-12-18 23:23 11,776 --a------ C:\WINDOWS\wsystmp_hkx.exe
2007-12-18 18:24 . 2007-12-18 18:25 <DIR> d-------- C:\Documents and Settings\glynis\Application Data\AdwareAlert
2007-12-18 18:23 . 2007-12-18 18:33 <DIR> d-------- C:\Program Files\AdwareAlert
2007-12-18 16:22 . 2007-12-18 16:22 0 --a------ C:\WINDOWS\system32\dllgh8jkd1q8.exe
2007-12-18 15:42 . 2007-12-18 15:42 89,088 --a------ C:\WINDOWS\wsystmp_vxe.exe
2007-12-18 15:42 . 2007-12-18 15:42 89,088 ---hs---- C:\WINDOWS\system32\winsn.exe
2007-12-18 15:42 . 2007-12-18 15:42 89,088 ---hs---- C:\WINDOWS\system32\shovth.exe
2007-12-18 15:42 . 2007-12-18 15:42 89,088 ---hsc--- C:\CCAF0176.exe
2007-12-18 15:42 . 2007-12-19 16:51 28,929 --a------ C:\WINDOWS\system32\winsos.exe
2007-12-18 11:12 . 2007-10-10 23:55 6,065,664 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-12-18 11:12 . 2007-07-01 03:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-12-18 11:12 . 2007-07-01 03:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2007-12-18 11:12 . 2007-10-10 23:55 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-12-18 11:12 . 2007-10-10 23:55 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-12-18 11:12 . 2007-10-10 23:55 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-12-18 11:12 . 2007-10-10 23:55 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-12-18 11:12 . 2007-10-10 23:55 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-12-18 11:12 . 2007-10-10 10:59 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-12-12 19:50 . 2007-12-12 19:50 <DIR> d-------- C:\Documents and Settings\glynis\Application Data\Samsung
2007-12-12 19:44 . 2006-05-03 22:53 174,592 --a------ C:\WINDOWS\system32\framedyn.dll
2007-12-12 19:44 . 2005-08-30 01:49 94,000 --a------ C:\WINDOWS\system32\drivers\ssm_mdm.sys
2007-12-12 19:44 . 2005-08-30 01:47 58,320 --a------ C:\WINDOWS\system32\drivers\ssm_bus.sys
2007-12-12 19:44 . 2005-08-30 01:49 8,336 --a------ C:\WINDOWS\system32\drivers\ssm_mdfl.sys
2007-12-12 19:44 . 2005-08-30 01:49 6,176 --a------ C:\WINDOWS\system32\drivers\ssm_cmnt.sys
2007-12-12 19:44 . 2005-08-30 01:49 6,176 --a------ C:\WINDOWS\system32\drivers\ssm_cm.sys
2007-12-12 19:44 . 2005-08-30 01:47 5,840 --a------ C:\WINDOWS\system32\drivers\ssm_whnt.sys
2007-12-12 19:44 . 2005-08-30 01:47 5,840 --a------ C:\WINDOWS\system32\drivers\ssm_wh.sys
2007-12-12 19:43 . 2007-12-12 19:44 <DIR> d-------- C:\WINDOWS\system32\Samsung_USB_Drivers
2007-12-12 19:42 . 2007-12-12 19:42 <DIR> d-------- C:\Program Files\Samsung
2007-12-12 19:42 . 2006-07-24 16:05 5,632 --a------ C:\WINDOWS\system32\drivers\StarOpen.sys
2007-12-12 19:42 . 2005-08-28 20:51 766 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-12-10 16:39 . 2007-12-10 16:39 <DIR> d----c--- C:\Documents and Settings\Alex\Application Data\Template
2007-12-10 16:39 . 2007-12-10 20:54 136 --a--c--- C:\Documents and Settings\Alex\Application Data\wklnhst.dat
2007-11-22 13:58 . 2007-11-22 13:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NeptunesAdve
2007-11-19 15:44 . 2007-11-19 15:44 23 --a------ C:\WINDOWS\cdplayer.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-12 19:46 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-09 12:45 552 ----a-w C:\Documents and Settings\glynis\Application Data\wklnhst.dat
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-11-25 13:58 --------- d-----w C:\Program Files\Real
2007-11-23 19:14 --------- d-----w C:\Documents and Settings\beth\Application Data\Spamihilator
2007-11-18 17:06 --------- d-----w C:\Documents and Settings\nia\Application Data\Creative
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-07 11:51 --------- d-----w C:\Program Files\3DGroove
2007-11-07 10:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2007-11-07 10:09 --------- d-----w C:\Documents and Settings\beth\Application Data\Comodo
2007-11-04 21:01 180 ----a-w C:\Documents and Settings\nia\Application Data\wklnhst.dat
2007-11-04 18:16 --------- d-----w C:\Program Files\DivX
2007-10-30 18:33 --------- d-----w C:\Documents and Settings\nia\Application Data\Spamihilator
2007-10-30 18:33 --------- d-----w C:\Documents and Settings\nia\Application Data\Comodo
2007-10-29 21:00 --------- d-----w C:\Documents and Settings\glynis\Application Data\Creative
2007-10-28 08:12 --------- dc----w C:\Documents and Settings\Alex\Application Data\Spamihilator
2007-10-28 08:12 --------- dc----w C:\Documents and Settings\Alex\Application Data\Comodo
2007-10-27 03:24 --------- dc----w C:\Documents and Settings\alan\Application Data\Spamihilator
2007-10-27 03:24 --------- dc----w C:\Documents and Settings\alan\Application Data\Comodo
2007-10-26 21:20 --------- d-----w C:\Documents and Settings\glynis\Application Data\Spamihilator
2007-10-26 21:15 --------- d-----w C:\Program Files\Spamihilator
2007-10-26 21:11 --------- d-----w C:\Documents and Settings\glynis\Application Data\MailWasherPro
2007-10-26 20:42 --------- d-----w C:\Program Files\Windows Defender
2007-10-26 20:24 --------- d-----w C:\Documents and Settings\glynis\Application Data\Comodo
2007-10-26 20:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Comodo
2007-10-26 20:21 --------- d-----w C:\Program Files\Comodo
2007-10-26 20:15 --------- d-----w C:\Program Files\CyberLink
2007-10-22 00:39 --------- dc----w C:\Documents and Settings\alan\Application Data\McAfee.com Personal Firewall
2007-07-31 19:48 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2007-07-31 19:06 278,528 ----a-w C:\Program Files\Common Files\FDEUnInstaller.exe
.

((((((((((((((((((((((((((((( snapshot@2007-12-18_20.51.47.02 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-12-08 21:16:26 11,776 ----a-w C:\WINDOWS\inetsrv.exe
+ 2006-12-02 14:28:04 60,416 ----a-w C:\WINDOWS\system32\drivers\maujbsvx.sys
+ 2007-12-19 17:26:17 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_5c0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhilipsLime"="C:\Program Files\Philips\Philips Lime Service\bin\LimeAlive.exe" [2005-09-08 15:10]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-02 17:05]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 16:24]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 15:45]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 19:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [2004-11-15 14:04]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" []
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 16:07 C:\WINDOWS\system32\HdAShCut.exe]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2005-06-11 03:51]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-04-25 09:32]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-04-25 09:29]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2005-04-25 09:32]
"CHotkey"="zHotkey.exe" [2005-05-03 13:02 C:\WINDOWS\zHotkey.exe]
"RTHDCPL"="RTHDCPL.EXE" [2005-07-13 09:37 C:\WINDOWS\RTHDCPL.EXE]
"dmaug.exe"="C:\WINDOWS\system32\dmaug.exe" []
"dmagp.exe"="C:\WINDOWS\system32\dmagp.exe" []
"PhilipsDM"="C:\Program Files\Philips\Philips Device Manager\Bin\DeviceManager.exe" [2005-09-14 22:12]
"dmlkp.exe"="C:\WINDOWS\system32\dmlkp.exe" []
"dmtlq.exe"="C:\WINDOWS\system32\dmtlq.exe" []
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-08-24 19:59]
"AVFX Engine"="C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe" [2006-06-09 00:11]
"V0220Mon.exe"="C:\WINDOWS\V0220Mon.exe" [2006-06-28 17:01]
"CreativeTaskScheduler"="C:\Program Files\Creative\Shared Files\CTSched.exe" [2006-01-09 02:43]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 13:00]
"CONNECTScheduler"="C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTScheduler.exe" [2005-11-15 02:54]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 13:42]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-10-26 20:21]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"Spamihilator"="C:\Program Files\Spamihilator\spamihilator.exe" [2007-08-17 15:24]
"sis32"="C:\WINDOWS\system32\winsos.exe" [2007-12-19 17:30]
"winroot"="C:\WINDOWS\system32\winsn.exe" [2007-12-18 15:42]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 19:00]

C:\Documents and Settings\glynis\Start Menu\Programs\Startup\
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2007-07-31 20:28:07]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]
CONNECTAUTrayApp.lnk - C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTAUTrayApp.exe [2005-11-15 02:54:01]
Install Pending Files.LNK - C:\Program Files\SIFXINST\SIFXINST.EXE [2007-07-31 06:34:13]


.
Contents of the 'Scheduled Tasks' folder
"2007-12-18 18:25:06 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert.ex
- C:\Program Files\AdwareAlert.glynisWRuns AdwareAlert to scan your computer for malicious and potenially unwanted programs.
"2007-12-19 17:21:36 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-19 17:29:48 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-19 17:27:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-19 17:33:27 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-18 20:53
.
2007-12-19 11:57:54 --- E O F ---
Attached Files
File Type: txt ComboFix3.txt (12.5 KB, 3 views)

Last edited by sUBs : 12-23-2007 at 03:08 PM.
glynis35 is offline  
Old 12-23-2007, 03:12 PM   #4 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 21,354
OS: XP


Re: Control Panel gone

Open notepad and copy/paste the text in the quotebox below into it:

Code:
http://www.techsupportforum.com/security-center/hijackthis-log-help/205123-control-panel-gone.html
Collect::
C:\WINDOWS\windisk.dll
C:\WINDOWS\trayicons.exe
C:\WINDOWS\rem.reg
C:\WINDOWS\wsystmp_hkx.exe
C:\WINDOWS\system32\dllgh8jkd1q8.exe
C:\WINDOWS\wsystmp_vxe.exe
C:\WINDOWS\system32\winsn.exe
C:\WINDOWS\system32\shovth.exe
C:\CCAF0176.exe
C:\WINDOWS\system32\winsos.exe
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dmaug.exe"=-
"dmagp.exe"=-
"dmlkp.exe"=-
"dmtlq.exe"=-
"sis32"=-
"winroot"=-
Save this as "CFScript"




Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Additionally, ComboFix will generate a zipped file on your Desktop, called [4]Submit@Date_Time.zip
Before proceeding to the next step, please submit this file to http://www.bleepingcomputer.com/subm....php?channel=4


---------------


Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.



  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan


---------------


In your next post, please include fresh logs from:
  1. Fresh Hijackthis log taken just before replying
  2. Online scan
  3. ComboFix's log
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now
sUBs is offline  
Old 12-23-2007, 04:33 PM   #5 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 16
OS: WinXP


Re: Control Panel gone

Lots of problems with this - ComboFix will not run - have dragged CFScript file and pressed Run but nothing happens. Also when I go to Kaspersky, I get no ActiveX prompt and no download. I am in Safe Mode but this is the only way to get online as just getting Page cannot be displayed when normal. Did get new Hijackthis log -

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:01, on 2007-12-25
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [dmaug.exe] C:\WINDOWS\system32\dmaug.exe
O4 - HKLM\..\Run: [dmagp.exe] C:\WINDOWS\system32\dmagp.exe
O4 - HKLM\..\Run: [PhilipsDM] "C:\Program Files\Philips\Philips Device Manager\Bin\DeviceManager.exe"
O4 - HKLM\..\Run: [dmlkp.exe] C:\WINDOWS\system32\dmlkp.exe
O4 - HKLM\..\Run: [dmtlq.exe] C:\WINDOWS\system32\dmtlq.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVFX Engine] C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
O4 - HKLM\..\Run: [V0220Mon.exe] C:\WINDOWS\V0220Mon.exe
O4 - HKLM\..\Run: [CreativeTaskScheduler] "C:\Program Files\Creative\Shared Files\CTSched.exe" /logon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [CONNECTScheduler] "C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTScheduler.exe" /RUN_SCHEDULER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Spamihilator] "C:\Program Files\Spamihilator\spamihilator.exe"
O4 - HKLM\..\Run: [Medichi] medichi.exe
O4 - HKLM\..\Run: [Medichi2] medichi2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpywareBot] "C:\Program Files\SpywareBot\SpywareBot.exe" -boot
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-920229936-1490318481-1441602082-1007\..\Run: [PhilipsLime] "C:\Program Files\Philips\Philips Lime Service\bin\LimeAlive.exe" (User 'glynis')
O4 - HKUS\S-1-5-21-920229936-1490318481-1441602082-1007\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9 (User 'glynis')
O4 - HKUS\S-1-5-21-920229936-1490318481-1441602082-1007\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'glynis')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: CONNECTAUTrayApp.lnk = C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTAUTrayApp.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.orange.co.uk
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {33331111-1111-1111-1111-615111193427} -
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/.../GAME_UNO1.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/down.../OTOYAX29b.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/W...gPublisher.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary...o.cab56649.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game05.zylom.com/activex/zylomgamesplayer.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - AppInit_DLLs: murka.dat
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Sony SCSI Helper Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\Fsk\SonySCSIHelperService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

--
End of file - 9505 bytes
glynis35 is offline  
Old 12-24-2007, 02:06 AM   #6 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 21,354
OS: XP


Re: Control Panel gone

Quote:
Lots of problems with this - ComboFix will not run - have dragged CFScript file and pressed Run
Describe how it did not work. Is ComboFix.exe not saved on your Desktop? Where did we get the "RUN" from?
sUBs is offline  
Old 12-24-2007, 05:01 AM   #7 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 16
OS: WinXP


Re: Control Panel gone

ComboFix is saved to desktop. When I drag CFScript into it it opens window asking if I want to run program as publisher is unknown. When I click Yes - nothing happens.
glynis35 is offline  
Old 12-24-2007, 05:12 AM   #8 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 21,354
OS: XP


Re: Control Panel gone

Try this ... > http://marsbox.com/blog/howtos/disab...s-file-prompt/
sUBs is offline  
Old 12-24-2007, 07:00 AM   #9 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 16
OS: WinXP


Re: Control Panel gone

Prompt window does not now appear but ComboFix still does not start. Nothing happens at all. Have managed to run Kaspersky scan - log attached.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, December 25, 2007 7:41:56 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 24/12/2007
Kaspersky Anti-Virus database records: 493039
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - Critical Areas:
C:\WINDOWS
C:\DOCUME~1\glynis\LOCALS~1\Temp\

Scan Statistics:
Total number of scanned objects: 18784
Number of viruses found: 4
Number of infected objects: 7
Number of suspicious objects: 0
Duration of the scan process: 00:17:22

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\medichi.exe Infected: Trojan-Downloader.Win32.Small.hhm skipped
C:\WINDOWS\medichi2.exe Infected: Trojan.Win32.Small.wv skipped
C:\WINDOWS\Prefetch\layout.ini Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\dllcache\beep.sys Infected: Trojan.Win32.Obfuscated.ml skipped
C:\WINDOWS\system32\drivers\beep.sys Infected: Trojan.Win32.Obfuscated.ml skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\ASHeuristic\beep_sys.vir Infected: Trojan.Win32.Obfuscated.ml skipped
C:\WINDOWS\Temp\ASHeuristic\beep_sys.vir0 Infected: Trojan.Win32.Obfuscated.ml skipped
C:\WINDOWS\windisk.dll Infected: Trojan-Downloader.Win32.Small.hga skipped
C:\DOCUME~1\glynis\LOCALS~1\Temp\~DF8F2C.tmp Object is locked skipped
C:\DOCUME~1\glynis\LOCALS~1\Temp\~DF8F38.tmp Object is locked skipped

Scan process completed.
Attached Files
File Type: txt kaspersky scan.txt (6.3 KB, 1 views)

Last edited by sUBs : 12-24-2007 at 07:28 AM.
glynis35 is offline  
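Added example, not part of any post in this thread: a Python sketch of the cross-check a reader can make between the HijackThis log in post #5 and the Kaspersky report in post #9. The sample lines are copied from those two logs; the function names and the "confirmed"/"review" labels are this example's own, and "review" entries (such as vendor tools started by bare file name) still need a human decision.

```python
import ntpath
import re

# Subset of lines copied from the HijackThis log posted in this thread.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Medichi] medichi.exe
O4 - HKLM\..\Run: [Medichi2] medichi2.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O16 - DPF: {33331111-1111-1111-1111-615111193427} -
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O20 - AppInit_DLLs: murka.dat
"""

# Subset of rows copied from the Kaspersky Online Scanner report in this thread.
SCAN_SAMPLE = r"""
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\medichi.exe Infected: Trojan-Downloader.Win32.Small.hhm skipped
C:\WINDOWS\medichi2.exe Infected: Trojan.Win32.Small.wv skipped
C:\WINDOWS\system32\drivers\beep.sys Infected: Trojan.Win32.Obfuscated.ml skipped
C:\WINDOWS\windisk.dll Infected: Trojan-Downloader.Win32.Small.hga skipped
"""

HJT_LINE = re.compile(r"^(O\d+) - (.*)$")
RUN_ENTRY = re.compile(r"^\S+\\\.\.\\Run: \[([^\]]+)\] (.+)$")
TARGET = re.compile(r'^"?(.+?\.(?:exe|dll|bat|scr))', re.IGNORECASE)
POLICY = re.compile(r", (\w+)=(\d+)$")
EMPTY_DPF = re.compile(r"DPF: (\{[0-9A-Fa-f-]+\})(?: \(.*\))? -")
INFECTED = re.compile(r"^(.+?) Infected: (\S+)")


def parse_detections(report):
    """Map lower-cased file name -> (full path, signature) for 'Infected:' rows."""
    found = {}
    for line in report.splitlines():
        m = INFECTED.match(line.strip())
        if m:
            found[ntpath.basename(m.group(1)).lower()] = (m.group(1), m.group(2))
    return found


def triage(hjt_log, scan_report):
    """Return (section, subject, verdict, reason) tuples for entries worth a look."""
    detections = parse_detections(scan_report)
    findings = []
    for raw in hjt_log.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        section, detail = m.groups()
        if section == "O4":
            run = RUN_ENTRY.match(detail)
            if not run:
                continue  # Startup-folder shortcuts are out of scope here
            name, command = run.groups()
            t = TARGET.match(command)
            target = t.group(1) if t else command
            hit = detections.get(ntpath.basename(target).lower())
            if hit:  # file-name match only: the Run value gives no directory to compare
                findings.append((section, name, "confirmed",
                                 f"{hit[0]} detected as {hit[1]}"))
            elif "\\" not in target:
                findings.append((section, name, "review",
                                 "autostart without a directory, resolved via the search path"))
        elif section == "O7":
            p = POLICY.search(detail)
            if p and p.group(2) != "0":
                findings.append((section, p.group(1), "review", "policy restriction is set"))
        elif section == "O16":
            d = EMPTY_DPF.fullmatch(detail)
            if d:
                findings.append((section, d.group(1), "review", "DPF entry with no source URL"))
        elif section == "O20" and detail.startswith("AppInit_DLLs:"):
            value = detail.split(":", 1)[1].strip()
            if value:
                findings.append((section, value, "review",
                                 "AppInit_DLLs entry, loaded into every process that loads user32.dll"))
    return findings


if __name__ == "__main__":
    for section, subject, verdict, reason in triage(HJT_SAMPLE, SCAN_SAMPLE):
        print(f"{verdict:9} {section:4} {subject}: {reason}")
```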
Old 12-24-2007, 07:26 AM   #10 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 21,354
OS: XP


Re: Control Panel gone

Quote:
Scan Target - Critical Areas:
C:\WINDOWS
C:\DOCUME~1\glynis\LOCALS~1\Temp\


Scan Statistics:
Total number of scanned objects: 18784
Number of viruses found: 4
Number of infected objects: 7
Number of suspicious objects: 0
Duration of the scan process: 00:17:22
I wanted a scan of the entire computer. Not just critical areas. This won't do

Last edited by sUBs : 12-24-2007 at 07:30 AM.
sUBs is offline  
Old 12-24-2007, 07:37 AM   #11 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 21,354
OS: XP


Re: Control Panel gone

## Do not perform the FULL Kaspersky scan yet.
Do this first ... everything must be in sequence.


Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:

Code:
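@echo off
rem Delete the infected copy held in the Windows File Protection cache
del /a/f C:\WINDOWS\system32\dllcache\beep.sys
rem Clear attributes on the infected driver (path as listed in the Kaspersky report), then rename it
attrib -h -r -s  -a C:\WINDOWS\system32\drivers\beep.sys
ren C:\WINDOWS\system32\drivers\beep.sys beep.sys.vir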
Save this as fix.bat Choose to "Save type as - All Files"
It should look like this:
Double click on fix.bat & allow it to run

After running Fix.bat, reboot the machine
Then try dragging CFScript into ComboFix.exe again.
sUBs is offline  
Old 12-24-2007, 08:43 AM   #12 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 16
OS: WinXP


Re: Control Panel gone

Sorry - have done this and ran fix.bat but ComboFix still will not start. I have tried in Safe and normal. However I seem to be getting intermittent internet access in normal now - it works for a while and then freezes and returns me to Page cannot be Displayed. If I reboot, it works for a few minutes again.
glynis35 is offline  
Old 12-24-2007, 08:53 AM   #13 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 21,354
OS: XP


Re: Control Panel gone

Quote:
Sorry - have done this and ran fix.bat but ComboFix still will not start.
Please try running ComboFix without using CFScript. Just double click on ComboFix.exe
sUBs is offline  
Old 12-24-2007, 08:55 AM   #14 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 16
OS: WinXP


Re: Control Panel gone

It makes no difference - nothing happening.
glynis35 is offline  